Re: [PATCH] mm,procfs: allow read-only remote mm access under CAP_PERFMON

[Andrii Nakryiko <andrii.nakryiko@gmail.com>]

On Thu, Jan 23, 2025 at 3:55 PM Jann Horn <jannh@google.com> wrote:
>
> On Fri, Jan 24, 2025 at 12:47 AM Kees Cook <kees@kernel.org> wrote:
> > On Thu, Jan 23, 2025 at 01:52:52PM -0800, Suren Baghdasaryan wrote:
> > > On Thu, Jan 23, 2025 at 1:44 PM Andrii Nakryiko <andrii@kernel.org> wrote:
> > > >
> > > > It's very common for various tracing and profiling toolis to need to
> > > > access /proc/PID/maps contents for stack symbolization needs to learn
> > > > which shared libraries are mapped in memory, at which file offset, etc.
> > > > Currently, access to /proc/PID/maps requires CAP_SYS_PTRACE (unless we
> > > > are looking at data for our own process, which is a trivial case not too
> > > > relevant for profilers use cases).
> > > >
> > > > Unfortunately, CAP_SYS_PTRACE implies way more than just ability to
> > > > discover memory layout of another process: it allows to fully control
> > > > arbitrary other processes. This is problematic from security POV for
> > > > applications that only need read-only /proc/PID/maps (and other similar
> > > > read-only data) access, and in large production settings CAP_SYS_PTRACE
> > > > is frowned upon even for the system-wide profilers.
> > > >
> > > > On the other hand, it's already possible to access similar kind of
> > > > information (and more) with just CAP_PERFMON capability. E.g., setting
> > > > up PERF_RECORD_MMAP collection through perf_event_open() would give one
> > > > similar information to what /proc/PID/maps provides.
> > > >
> > > > CAP_PERFMON, together with CAP_BPF, is already a very common combination
> > > > for system-wide profiling and observability application. As such, it's
> > > > reasonable and convenient to be able to access /proc/PID/maps with
> > > > CAP_PERFMON capabilities instead of CAP_SYS_PTRACE.
> > > >
> > > > For procfs, these permissions are checked through common mm_access()
> > > > helper, and so we augment that with cap_perfmon() check *only* if
> > > > requested mode is PTRACE_MODE_READ. I.e., PTRACE_MODE_ATTACH wouldn't be
> > > > permitted by CAP_PERFMON.
> > > >
> > > > Besides procfs itself, mm_access() is used by process_madvise() and
> > > > process_vm_{readv,writev}() syscalls. The former one uses
> > > > PTRACE_MODE_READ to avoid leaking ASLR metadata, and as such CAP_PERFMON
> > > > seems like a meaningful allowable capability as well.
> > > >
> > > > process_vm_{readv,writev} currently assume PTRACE_MODE_ATTACH level of
> > > > permissions (though for readv PTRACE_MODE_READ seems more reasonable,
> > > > but that's outside the scope of this change), and as such won't be
> > > > affected by this patch.
> > >
> > > CC'ing Jann and Kees.
> > >
> > > >
> > > > Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
> > > > ---
> > > >  kernel/fork.c | 11 ++++++++++-
> > > >  1 file changed, 10 insertions(+), 1 deletion(-)
> > > >
> > > > diff --git a/kernel/fork.c b/kernel/fork.c
> > > > index ded49f18cd95..c57cb3ad9931 100644
> > > > --- a/kernel/fork.c
> > > > +++ b/kernel/fork.c
> > > > @@ -1547,6 +1547,15 @@ struct mm_struct *get_task_mm(struct task_struct *task)
> > > >  }
> > > >  EXPORT_SYMBOL_GPL(get_task_mm);
> > > >
> > > > +static bool can_access_mm(struct mm_struct *mm, struct task_struct *task, unsigned int mode)
> > > > +{
> > > > +       if (mm == current->mm)
> > > > +               return true;
> > > > +       if ((mode & PTRACE_MODE_READ) && perfmon_capable())
> > > > +               return true;
> > > > +       return ptrace_may_access(task, mode);
> > > > +}
> >
> > nit: "may" tends to be used more than "can" for access check function naming.
> >
> > So, this will bypass security_ptrace_access_check() within
> > ptrace_may_access(). CAP_PERFMON may be something LSMs want visibility
> > into.
> >
> > It also bypasses the dumpability check in __ptrace_may_access(). (Should
> > non-dumpability block visibility into "maps" under CAP_PERFMON?)
> >
> > This change provides read access for CAP_PERFMON to:
> >
> > /proc/$pid/maps
> > /proc/$pid/smaps
> > /proc/$pid/mem
> > /proc/$pid/environ
> > /proc/$pid/auxv
> > /proc/$pid/attr/*
> > /proc/$pid/smaps_rollup
> > /proc/$pid/pagemap
> >
> > /proc/$pid/mem access seems way out of bounds for CAP_PERFMON. environ
> > and auxv maybe too much also. The "attr" files seem iffy. pagemap may be
> > reasonable.
>
> FWIW, my understanding is that if you can use perf_event_open() on a
> process, you can also grab large amounts of stack memory contents from
> that process via PERF_SAMPLE_STACK_USER/sample_stack_user. (The idea
> there is that stack unwinding for userspace stacks is complicated, so
> it's the profiler's job to turn a pile of raw stack contents and a
> register snapshot into a stack trace.) So _to some extent_ I think it
> is already possible to read memory of another process via CAP_PERFMON.
> Whether that is desirable or not I don't know, though I guess it's
> hard to argue that there's a qualitative security difference between
> reading register contents and reading stack memory...

If I'm allowed to bring in BPF capabilities coupled with CAP_PERFMON,
then you can read not just stack, but pretty much anything both inside
the kernel memory (e.g., through bpf_probe_read_kernel()) and
user-space (bpf_probe_read_user() for current user task, and more
generally bpf_copy_from_user_task() for an arbitrary task for which we
have struct task_struct).

But we don't really allow access to /proc/PID/mem here, because it's
PTRACE_MODE_ATTACH (which is sort of like read/write vs read-only).

Similarly, it would be relevant for process_vm_readv(), but that one
(currently) is also PTRACE_MODE_ATTACH.